The personal blog of Peter Lee a.k.a. "China Hand"... Life is a comedy to those who think, a tragedy to those who feel, and an open book to those who read. You are welcome to contact China Matters at the address chinamatters --a-- prlee.org or follow me on twitter @chinahand.

Wednesday, December 17, 2014

Did the Senkakus Sink Sony?

[Update, Dec. 19:

I am not blown away by the US attribution of the hack to
North Korea.

On technical grounds, there are problems like this, pointed out by Jeffrey Carr (h/t to @SaiGonSeamus), who wrote a book on cyberwarfare:

The White House appears
to be convinced through "Signals intelligence" that the North
Korean government planned and perpetrated this attack against Sony:

In one new detail, investigators have uncovered an instance
where the malicious software on Sony’s system tried to contact an Internet
address within North Korea

There is a common misconception that
North Korea's ITC is a closed system therefore anything in or out must be
evidence of a government run campaign. In fact, the DPRK has contracts with
foreign companies to supply and sustain its networks. Those companies are:

Lancelot Holdings

Loxley Pacific

Shin Satellite Corp

Orascom Telecomms Holding

Each offers a different service, but
Loxley Pacific, a Thailand joint venture involving Loxley (Thailand), Teltech
(Finland), and Jarangthai (Taiwan).

Loxley Pacific is a subsidiary of Loxley, a Thai public company
that provides a variety of products and services throughout the Asia Pacific
region. According to its 2013
annual report, Loxley has 809 permanent staff and 110 contract staff.

Loxley Pacific provides
fixed-telephone lines, public payphone, mobile phones, internet, paging,
satellite communications, long-distance/international services, wire or
wireless in the Rajin-Sonbong Free Economic and Trade Zone. Star JV is North
Korea's internet service run as a joint
venture between the North Korean government and Loxley Pacific.

One of the easiest ways to
compromise the Internet backbone of a country is to work for or be a vendor to
the company which supplies the backbone. For the DPRK, that's Loxley, based in
Bangkok. The geolocation
of the first leak of the Sony data on December 2 at 12:25am was traced to
the St. Regis hotel in Bangkok, an approximately 13 minute drive from Loxley
offices.

This morning, Trend
Micro announced that the hackers probably spent months collecting passwords
and mapping Sony's network. That in addition to the fact that the attackers
never mentioned the movie until after the media did pretty much rules out
"The Interview" as Pyongyang's alleged reason for retaliation. If one
or more of the hackers involved in this attack gained trusted access to Loxley
Pacific's network as an employee, a vendor, or simply compromised it as an
attacker, they would have unfettered access to launch attacks from the DPRK's
network against any target that they wish. Every attack would, of course, point
back to the hated Pyongyang government.

Under international law, "the
fact that a cyber operation has been routed via the cyber infrastructure
located in a State is not sufficient evidence for attributing the operation to
that State" (Rule 8, The Tallinn Manual). The White House must responsibly
evaluate other options, such as this one, before taking action against another
nation state. If it takes such action, and is proved wrong later, which it
almost certainly will be, the reputation of the U.S. government and the
intelligence agencies which serve it will be harmed.

China may have helped North Korea carry out the hacking attack on Sony
Pictures, a US official has told Reuters.

The official, who spoke on condition of anonymity, said the conclusion of
the US investigation was to be announced later by federal authorities. … There were also reports on Friday that Iran and Russia may have also helped
the North Korean hackers.

The software used in the hacking was at a level of sophistication not
previously seen in past North Korean attacks, a US intelligence source told Fox News, adding that China, Iran and Russia had
all used the technology previously.

Bear in mind, this is from the anonymous official who’s
making the case for North Korea.

Also, unfortunately, there is the whole political angle.

When America, even in the form of a Japan-owned movie
studio, is attacked, the US government wants to strike when the iron is hot,
i.e. when fear and anger are at a fever pitch, and the sense of outrage is unencumbered
by second thoughts like “Do I really care what happens to Sony?” "How far am I willing to go to defend Seth Rogen's freedom of expression?" or even "Did the hackers actually do us all, including Rogen & Franco, a favor by removing The Interview--by all accounts a real stinker--from the market place?"

Unfortunately, cyberattacks don’t lend themselves to quick
attribution or, for that matter, even ultimate attribution. And for a government that does not want to
make a spectacle of its impotence, waiting on due process and evidentiary
niceties to produce the conclusion, “Well, the circumstances argue this, but we
could never prove it in a court of law” doesn’t really cut it.

I have a suspicion that the United States has an app for
that: blame somebody, preferably somebody unpopular, as quickly and
categorically as possible.

So I see the quick attribution of the hack to North Korea
part of the “Infowar” mindset, one that obsesses inside-the-Beltway types but I
don’t think is really on anybody else’s radar: the idea that the government has
to be able to manipulate and guide public opinion even in less than crystal
clear situations, if it has hopes of being effective.

In other words, when in doubt, finger the bad guy. There’s no downside, only upside.

[On 9/11] Rumsfeld ordered the military to begin working on strike
plans. And at 2:40 p.m., the notes quote Rumsfeld as saying he wanted
"best info fast. Judge whether good enough hit S.H." – meaning Saddam
Hussein – "at same time. Not only UBL" – the initials used to
identify Osama bin Laden.
…
"Go massive," the notes quote him as saying. "Sweep it all up.
Things related and not."

Who’s going to stand up and defend Kim Jong Un and the idea of due process and legal rigor in dealing with North frickin' Korea? Nobody. And we've now got a free turn to take another swing at North Korea if and when we want to.

My melancholy prediction: even as cybercrimes become harder to attribute, governments will become quicker, more vociferous, and less scrupulous in providing those attributions.

CH]

I came across this measured exercise
in opinion journalism penned by “Alec Ross, Senior Fellow at
Columbia University's School of International & Public Affairs” over
at Huffington Post:

North Korea is a miserable, backward,
hellhole of a place. It has a per capita GDP of less than $2,000 -- trailing
Yemen, Tajikistan and Chad -- and about one-sixteenth the size of the GDP of
South Korea. The Hermit Kingdom derives its power through the twin pillars of
state repression and an all-encompassing propaganda apparatus.

This poor, delusional country managed
to wallop Sony after it objected to the content of some movie which I can't
remember the name of at the present moment but which looks boring and stupid. ..

Kinda funny, in a way, since the FBI has stated there isn’t
sufficient evidence to attribute the attack to North Korea at the present time,
and in fact some people are pointing fingers at the People’s Republic of China
instead. More about China later.

Hmmm, I said to myself, and I surfed off to find out whether
Mr. Ross was indeed a fellow at some hallowed Ivy, or perhaps the meth-crazed
denizen of some non-accredited on-line institution in Columbia, South Carolina.

Alec Ross (born November 30, 1971) was Senior Advisor for Innovation
to Secretary of State Hillary Clinton for the duration
of her term as Secretary of State, a role created for him that blends
technology with diplomacy.[2]
As Secretary Clinton's "tech guru,"[3]
Ross led State Department's efforts to find practical technology solutions for
some of the globe's most vexing problems on health care, poverty, human rights
and ethnic conflicts, earning him numerous accolades including the Distinguished Honor Award. In 2010 Ross
was named one of 40 leaders under 40 years old in International Development,[4]
and Huffington Post included him in their list of 2010 Game Changers as one of
10 "game changers" in politics.[5]
He is also one of Politico's 50 Politicos to Watch as one of "Five people
who are bringing transformative change to the government."[6]
Foreign Policy magazine named Ross a Top Global Thinker in 2011.[7]
U.S. Ambassador to the United Nations Samantha Power, speaking at the White
House referred to Alec Ross as "One of the most creative people probably
that the U.S. government has ever known." [8]
Profiled in 2011, Time Magazine describes how Ross is incorporating digital
platforms into the daily lives of U.S. diplomats and his support of programs to
train activists in the Middle East.[9]
Time Magazine also named Alec Ross one of the best Twitter feeds of 2012.[10]
In 2012, Newsweek named Alec to their Digital Power Index Top 100 influencers,
listing him among other "public servants defining digital regulatory
boundaries,"[11]
and the TriBeCa Film Festival awarded Ross a Disruptive Innovation Award.[12]
Alec Ross is recipient of the Oxford Internet Institute OII Award 2013.[13]

… In April 2009, Ross was tapped to join the State
Department. As Senior Advisor on Innovation, he successfully advocated for
new digital diplomacy tools.[25]
In front of a group of activists, Hillary Clinton described his work by saying
that "Alec Ross has been my right hand on all that we're doing for
internet freedom."[26]
He is spearheading the "21st Century Statecraft" initiative[27]
and led Civil Society 2.0, a program to educate and train grass-roots
organizations around the world to create Web sites, blog, launch text messaging
campaigns, and build online communities.[28]
Speaking to digital diplomacy's promise, Ross told The American Prospect,
"If Paul Revere had been a modern day citizen, he wouldn't have ridden
down Main Street. He would have tweeted."[27]

…During the Libyan uprising, Alec drove the State Department's efforts to
"restore communication networks in rebel-held territories such as
Benghazi, working with the late Amb. Chris Stevens, to fight the Internet blackout
imposed by Libyan leader Muammar al-Qaddafi."[32]
Ross' team also "provided communications technologies to opposition
members in the Syrian border areas and trained NGOs on how to avoid the
regime's censorship and cyber snooping."[32]

… In the eastern Democratic Republic of Congo, Ross … also put together a
mobile banking program for soldiers who haven’t been paid in years, empowering
them with the ability to securely transfer money and save through accounts over
cellphones.[28]

Gadzooks, I thought. Benghazi! No, really, I realized this is Hillary Clinton’s go-to guy for evil-empire related digital
policy, besties with Samantha Power, and also an indispensable, foundational figure
in the compilation of end-year listicles.

Upon reviewing these credentials, my concerns were allayed,
and I look forward to our 21st-century high speed, high efficiency digital justice system,
which pitches cumbersome anachronisms such as evidence and due process off the
steamship of modernity (to paraphrase my favorite Mayakovsky bit), and allows the
simultaneous posting of crime, sentence, and punishment on the pages of our new
court record, Huffpo.

But seriously.

The Sony hack apparently involves a major investment of time
and resources, which are available both to governments and to criminal
gangs. What makes the Sony hack kinda
special is that, once access was obtained and the goodies extracted, the
intruders torched the place and made a public spectacle of their crime.

Going the extra mile in vandalism and humiliation would seem
to argue some political purpose beyond simple malice, mischief, and greed, and
observers have naturally gravitated toward a narrative of North Korean revenge
for The Interview.

But, you know, maybe something Chinese. Not an operation sanctioned by the PRC
government, to be sure—the benefits are minuscule (unless Xi Jinping just
absolutely had to see Annie
pre-release) compared to the potentially immense diplomatic and economic costs—but
maybe some kind of off the books operation by rogue, nationalistic minded
hackers who decided to stick it to a vulnerable Japanese corporation as
punishment for the Japanese government’s confrontational attitude toward the
PRC over the Senkakus, the pivot, etc.

One of the more interesting cases bubbling along in cybercrime is the early-December arrest of 77 (!) PRC nationals crammed into a house with
their computer gear in an upscale Nairobi neighborhood, allegedly with criminal
designs on the Kenyan banking system.

The PRC surfs and hacks the world looking for system
vulnerabilities, and I’m beguiled by the possibility that a government cyber
operation discovered a vulnerability in the Kenyan banking system, and a
freelancing group of hackers decided to exploit that information for some
private and profitable breaking and entering.

I suspect in the brave, new world of PRC hacking, there is a
growing cadre of entrepreneurially minded or ideologically driven hackers who
can bring impressive information, resources, and skills to bear on a chosen
objective.

Given the difficulties of identifying a smoking gun as to an
originating server—let alone a controlling individual or institution—Ross speculated about a
private sector riposte which sounds rather ridiculous:

It is only a matter of
time before some hotshot group of engineers recognizes and stalls a cyber
attack and instead of calling the authorities (who can't do anything anyway),
the VP of Engineering orders a counter attack against the aggressor. If Sony
had a better engineering department --- if it were a little more Northern
California instead of Southern California -- I wonder what would have happened
if they had identified the source of the hack and shot back with a DDoS attack.
Would the North Koreans have considered this an "invasion" by the
United States or Japan (where Sony is actually headquartered). They are
complete lunatics, so they probably would.

I can only hope that, if Hillary Clinton is elected
president, they will give Alec Ross a phone that can only call 911 and a computer
that is not plugged in to the Internet.

Functionally, the Sony hack resembles the “Shamoon” hack of
the Aramco network in Saudi Arabia, itself perhaps retaliation for the
US/Israeli Stuxnet attack on Iran’s centrifuge operation. In addition to a data drain, Shamoon featured
the wiping of target hard drives and the presentation of a taunting message on
computer screens.

I wrote about Shamoon for Asia Times Online in 2013, and pointed out the implications of larger and more sophisticated
cyberintrusions.

[T]he PRC and Russia have lined up behind a proposed "International Code of
Conduct for Internet Security", an 11-point program that says eminently
reasonable things like:

Not to use
ICTs including networks to carry out hostile activities or acts of aggression
and pose threats to international peace and security. Not to proliferate
information weapons and related technologies.

It
also says things like:

To cooperate
in combating criminal and terrorist activities which use ICTs [information and
computer technologies] including networks, and curbing dissemination of
information which incites terrorism, secessionism, extremism or undermines
other countries' political, economic and social stability, as well as their
spiritual and cultural environment. [11]

The United States, of course, has an
opposite interest in "freedom to connect" and "information
freedom," (which the Chinese government regards as little more than
"freedom to subvert") and has poured scorn on the proposal.

The theoretical gripe with the PRC/Russian proposal is that it endorses the
creation of national internets under state supervision, thereby delaying the
achievement of the interconnected nirvana that information technology
evangelists assure us is waiting around the next corner - and also goring the
ox of West-centric Internet governing organizations like ICANN.

So the Chinese proposal is going exactly nowhere.

The (genuine) irony here is that the Chinese and Russians are showing and
driving the rest of the world in their response to the undeniable dangers of
the Internet ecosystem, some of which they are themselves responsible for but
others - like Stuxnet - can be laid at the door of the US.

In response to hacking, the Internet as a whole has evolved beyond its open
architecture to a feudal structure of strongly-defended Internet fortresses,
with cyber-surfs free to roam the undefended commons outside the gates, glean
in the fields, and catch whatever deadly virus happens to be out there.

In recent months, the word "antivirus" has disappeared from the
homepages of Symantec and McAfee as they have recognized that their reference
libraries of viruses can't keep up with the proliferation of millions of new
threats emerging every year, let alone a carefully weaponized packet of code
like Stuxnet, and protect their privileged and demanding users. Now the
emphasis - and gush of VC and government money - has shifted to
compartmentalizing data and applications and detecting, reducing the damage,
and cleaning up the mess after a virus has started rummaging through the
innards of an enterprise.

In other words, the Internet fortresses, just like their medieval analogues,
are increasingly partitioned into outer rampart, inner wall, and keep -
complete with palace guard - in order to create additional lines of defense for
the lords and their treasure.

In other words, they are starting to look like the Chinese and Russian national
internets.

It is, unfortunately, a simple and incontrovertible fact
that, if we want to effectively detect, block, and investigate cyberattacks,
the solution is tightly monitored, internally accountable national internets
along the lines implemented by the PRC, Iran, and, increasingly, Russia and
Brazil. Under this model, states have the capability, right, and
responsibility to police their digital borders as they do their physical
borders.

This approach is, of course, anathema to Mr. Ross, as it
raises the specter of oppressive governments stifling dissent and inhibiting
free expression at the same time they pursue cybersaboteurs.

It also flies in the face of the US strategic and economic
interest in an open transnational network accessible to Google bots and NSA
penetration, that places American government and corporate entities at the profitable, vulnerable heart of the Internet, and makes it dependent on US good offices, just as the international
financial system still is today.

Unfortunately, the US, in its interest in sustaining an
open, transnational, and easily compromised Internet, is at the same time demonstrably unable and
unwilling to effectively secure it or police it fairly. That’s why the current Internet has the
structural robustness and integrity of a bag of shit thrown from a third-story
window.

And that’s why I’m afraid our response to outrages like the Sony hack will be to use the language of
deterrence and intimidation--and private sector vigilantism--to shift focus away from the profound and probably
irreconcilable contradictions that form the foundation of the current Internet.